iMiiiiiniiiiiiuiiiii 

US006157720A 

United States Patent [i9] [11] Patent Number: 6,157,720 

Yoshiura et aL [45] Date of Patent: Dec. 5, 2000 



[54] METHOD AND APPARATUS FOR 
ENCRYPTING DATA 

[75] Inventors: Hiroshi Yoshiura, Kawasaki; Kazuo 
Takaragi, Ebina; Mayuko Shtmlzu, 
Sagamihara, all of Japan 

[73] Assignee: Hitachi, Ltd., Tokyo, Japan 

[21] Appl. No.: 08/806,609 

[22] Filed: Feb. 26, 1997 

[30] Foreign Application Priority Data 

Feb. 28, 1996 (JP] Japan 8-040931 

[51] Int. CI. 7 H04L 9/00 

[52] U.S. Ci 380/44; 380/42; 380/255; 

380/259; 380/268; 380/269; 713/200 

[58] Field of Search 380/28, 37, 42, 

380/43, 44, 45, 47, 255, 259, 268, 269; 

713/200 

[56] References Cited 

U.S. PATENT DOCUMENTS 

5,285,497 2/1994 Thatcher, Jr. 380/49 

5,351,299 9/1994 Matsuzaki et al 380/37 

5,479,512 12/1995 Weiss 380/28 

5,517,614 5/1996 Tajima et a) 395/180 

FOREIGN PATENT DOCUMENTS 

57764/94 11/1994 Australia . 

0635956 1/1995 European Pal. Off. . 

225741 9 A 5/1992 United Kingdom . 

W09 1/1 8460 11/1991 WIPO . 

9202089 2/1992 WIPO . 

W092/22159 12/1992 WIPO . 



9423511 10/1994 WIPO . 

OTHER PUBLICATIONS 

Takaragi, K., Hashimoto, K. and Nakamura, T, "Differential 
Cryptanalysis", IEICE transactions, vol. E 74, No. 8, Aug. 
1991. 

Bruce Schneier, "Applied Cryptography" Second Edition, 

175, 270-277, 513-514, Oct. 1995. 

Schneier, Applied Cryptography, 2nd edition, pp. 173 and 

174. 

Primary Examiner— -Tod R. Swarm 

Assistant Examiner— Paul E. Callahan 

Attorney, Agent, or Firm— Antonelli, Terry, Stout & Kraus, 

LLP 



[57] 



ABSTRACT 



In the process of compressing and encrypting data, without 
increase of a processing time, a cipher capability is secured 
against the latest cryptanalysis such as differential and linear 
cryptanalyses. The differential and linear cryptanalyses are 
executed to collect plural pair of plaintext and cryptosystem 
for the same key and perform the statistical operation for 
estimating the key. An I/O process is executed to receive 
plaintext data and generate a random number. Then, an 
operation is executed to generate a different key for each 
data on the random number and set the key to a work key. 
The encrypted intermediate result or the pre-encrypted result 
is fed back for frequently changing the work key. These 
series of operations makes it possible to protect the cipher- 
text from the differential and the linear cryptanalyses. On the 
work key, the changing operation is executed to change 
correspondence between the plaintext data and the com- 
pressed data in the compressing process, for providing the 
compression with the encryption. 

36 Claims, 6 Drawing Sheets 
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METHOD AND APPARATUS FOR the processing time. Hence, it is an object of the present 

ENCRYPTING DATA invention to improve the processing performance and the 

security of the cryptosystem by establishing the method for 

BACKGROUND OF THE INVENTION protecting ciphertext from the differential and the linear 

5 cryptanalyses without increasing the processing time. 

The present invention relates to data encryption, and more As described above, the differential and the linear cryp- 

partioilarly to the improvements in processing efficiency of tanalyscs arc executed to collect lots of inputs and outputs 

encryption and cipher strength to any crypt analysis. (plaintext and ciphertext) encrypted and decrypted through 

Furthermore, the present invention relates to the encryption the same key and perform a statistical operation about the 

involving data compression and more particularly to the 1Q inputs and outputs for estimating the key. In accordance with 

improvements in processing efficiency of data compression a first aspect of the present invention, an information pro- 

and encryption and strength to cryptanalysis. cessing method includes the steps of entering or receiving a 

With increase of the computerized central information of plaintext and encrypting the plaintext, wherein the method 

a system and the data communication through network, ullll f s 33 a ke y of a block °/ the P 1 ? mtext a * »ntenncdiate 
. J i • i j . i. • e result erven in the process of encrypting another block or a 

importance is now being placed on a technique of encrypting 1S ^ 8^ on ^ intermediale method m a 

data for keeping the computerized data from being tapped differcnt {q ^ ^ d . (fac 

and tampered. As describes m pages 27 lo 32 of Introduc ^ ^ m memod lhus disallows execu tion of the 

lion to Cryptography Theory Kyontu edit., 1993, the f orcgo ing statistical operation and aUows the ciphertext to 

encryption is roughly divided into a symmetric key crypto- be protecled f rom the differential and the linear cryptanaly- 

system and an asymmetric key cryptosystem. The present 2 o ses. 

invention is intended for the improvement in symmetric ^ foregoing first method disables to use the interme- 

cryptosystem which is suitable for encrypting a large diate result given in the process of encrypting another block 

amount of data. Later, a secret key cryptosystem is simply f or me first block of the plaintext to be encrypted. Hence, the 

called cryptosystem. key is constant. The first method, therefore, allows the key 

At first, the description will be oriented to the basic terms 25 of the first block to be estimated by collecting the inputs and 

about the cryptosystem. As is described in pages 33 to 59 of the outputs of the first block over lots of plaintext and the 

the foregoing writing, the cryptosystem is executed to con- overall ciphertext to be cryptanalyzcd with the estimated key 

vert plaintext into ciphertext through secret parameters. The as a clue. In order to overcome this problem, in accordance 

decryptosystem is executed to transform the ciphertext into with a second aspect of the present invention, an information 

the original plaintext through the effect of reverse transform 30 processing method includes the steps of entering or reccrv- 

with the same secret parameters as those used in the cryp- *S «»» Pl** C3rt ^ encrypting the plaintext, wherein the 

ry* 5 . ii ii j method of the second aspect is executed to generate a 

tosystem. The secret parameters arc generally called a random number each P laintext and ^ £ random 

crypt-key (or just a key). The encryptmg procedure is number ^ ^ q{ ^ ^ Wock q{ ^ {q be 

composed of repetition of one or more kinds of fundamental cncryptcd> ^ mcthodj therefore, has a different 

functions. The repetitive times are called rounds. In applying 35 key of the first b , QCk to each plaiotext and mus enables t0 
the encrypting procedure, the input data is divided into parts overcome the problem of the forcgoing first method, 
each of which has the same size and the encrypting proce- Furl htT, the encryption is often executed in association 
dure is applied to each data part. Each data part is called a with data compressio[1 . As is described in pages 21 to 247 of 
crypt-block (or just a block). «-n, e Data Compression Boole" in Japanese Toppan (1994), 

In designing and promoting the encryption, an important 40 the compression is executed to replace a bit train of the 
factor is a defense for various kinds of decrypting methods. plaintext with a shorter bit train. A plurality of correspon- 
The most frequently used decrypting method is an extensive dences are provided between the bit trains of the block of the 
search for keys. In recent days, however, remarks are placed plaintext and the compressed data. In accordance with a 
on more efficient differential cryptanalysis and linear cryp- third aspect of the invention, the information processing 
tanalysis than the extensive search. 45 method includes the steps of entering or receiving data and 

. c ,. . „ . compressing the data, wherein the method of the third aspect 

In the pages 163 to 166 of the aforemenUoned writing and ^ ^ mmsfOJtAm between J bit 

the linear cryptana lysu i of the DES (Data Encryption ^ Qf ^ Wock rf ^ afld ^ resscd data 

Standard) published in "The 1993 Symposium on Cryptog- depending upon the intermediate result given in the process 
raphy and Information Security", the differential and the ^ of cncrypling another block. The third aspect method, 
linear cryptanalyses utilize the correlation among the therefore, enables to change the correspondence between the 
plaintext, the ciphertext, and the keys, which are proper lo bit train of the block of the plaintext and the bit train of the 
the encrypting system, and is executed to collect lots of compressed data for each block depending upon the plain- 
inputs and outputs (plaintext and ciphertext) to be encrypted text data. Further, the intermediale result given in the 
or decrypted by the same key and perform the statistical process of encrypting the data cannot be estimated if the key 
operation about these inputs and outputs for estimating the is obtained. It is therefore impossible to grasp how the 
key. correspondence between the bit train of the block of the 

The conventional method for defending the differential or plaintext and the bit train of the compressed data is changed 
linear cryptanalysis in the conventional encrypting system is u L nle& ? the ke y is obtained. The third aspect method 
executed to reduce the correlation among the plaintext, the ffl lhcrcfore ' cnabl « to u usc thc compression as a kind of 
ciphertext, and the key by increasing the rounds. 60 cryptosystem offer the same effect as the increase of the 

rounds, and thereby prevent the differential and the linear 
SUMMARY OF THE INVENTION cryptanalyses. 

The processing time of encryption or decryption is pro- BRIEF DESCRIPTION OF THE DRAWINGS 

portional to the rounds. The defense for the differential and 65 FIG. 1 is a block diagram showing a functional configu- 

the linear cryptanalyses through the effect of the increase of ration according to a first embodiment of the present inven- 

the rounds entails large shortcoming, thai is, the increase of tion; 
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FIG. 2 is a flowchart showing an operation of a control common key 114. The work key 116 is executed by the 

process executed in the method and the apparatus according method as described in Institution for Electronic, Informa- 

to the first embodiment of the present invention; tion and Communication Engineers, Transactions, Vol. E74, 

FIG. 3 is a diagram showing a Huffman tree indicating No. 8, pp2l53 to 2159. 

correspondence between plaintext data and compressed data 5 The correspondence changing portion 107 is executed to 

used according to the first embodiment of the present change the correspondence 115 between the bit trains of the 

invention; plaintext data and the compressed data on the work key. A 

FIG. 4 is a diagram showing a transformation of the specific example of the correspondence depends on a spe- 

Huffman tree used in the method and the apparatus accord- cific compression 108. In this embodiment, the compressing 

ing to the first embodiment of the present invention; 10 portion 108 utilizes the Huffman compression. The corre- 

FIG. 5 is a block diagram showing a functional configu- spondence between the bit trains of the plaintext and the 

ration according to a second embodiment of the present compressed data in the process of the Huffman compression 

invention' and ^ represented by tree-structure data called a Huffman tree. 

FIG. 6*is a flowchart showing an operation of a control ™* Huf * man is changed with the change of the 

j . . , , . correspondence 107. The correspondence changing portion 

process executed in the method and the apparatus according 15 m ^ fce discussed below 

to the second embodiment or the present invention. „ . tfi0 ... „ „ 

The compressing portion 108 utilizes the Huffman com- 

DESCRIPTION OF THE PREFERRED pression as mentioned above. According to the Huffman tree 

EMBODIMENTS of the correspondence 115, the bit train of the plaintext data 

Two embodiments of the present invention will be is replaced with the bit train of the compressed data for 

described with reference to FIGS. 1 to 6. compressing the plaintext data. The Huffman compression is 

FIG. 1 is a functional arrangement of the first embodiment realized b V < he conventional method as described in pages 

of the present invention. A block 101 denotes a completed 21 10 103 of " Data Compression Handbook", Toppan 1994. 

information processing system. A block 102 is a process The pre-encrypting portion 109 is executed to encrypt the 

implemented by a centra] processing unit and an input/ „ data with the work key U 6 as a parameter as described in thc 

output (I/O) unit. The block 102 includes an I/O portion 103, P^ges 33 to 59 of "Introduction to Cipher Theory", Kyouritu, 

a control portion 104, a random number generating portion edition., 1993. Like the pre-encrypting portion 109, the 

105, a key generating portion 106, a correspondence chang- post-encrypting portion 110 is executed to encrypt the data 

ing portion 107, a compressing portion 108, a pre-encrypting with the work key 116 as a parameter by the conventional 

portion 109, and a post-encrypting portion 110. A block 111 30 rnethod. 

is a storage unit such as a RAM or a disk and stores plaintext FIG. 2 shows the detail of the operation of the control 

data 112, random numbers 113, common keys 114, infor- portion 104. At a step 201, the random number generating 

mation regarding correspondences 115, work keys 116, and portion 105 is started for generating a random number. At a 

compressed and encrypted data 117. step 202, the key generating portion 106 is started for 

The I/O portion 103 receives a plaintext data from the 35 generating the work key and then setting the initial value of 

outside and puts it in the memory 111. Further, the I/O lnc work ke y U 6 ; Thxn, at a ste P 203 > thc control portion 

portion 103 receives a compressing and encrypting instruc- 104 reads the plaintext data 112. 

tion and passes it to the control portion 104. On the other At a step 204, when the compressing portion 108 is 

hand, the I/O portion 103 reads the compressed and started, the next symbol of the plaintext data is compressed, 

encrypted data 117 from the memory 111 and outputs it to 40 Herein, for compressing the plaintext data, the compressing 

the outside. When the control portion 104 receives the portion 108 is executed to transform the symbol (bit train) of 

compressing and encrypting instruction from the I/O portion the plaintext data into the compressed bit train according to 

103, the control portion 104 starts the random number the correspondence 115. At a step 205, it is determined if 

generating portion 105 for generating a random number and more of the compressed data than the block size for cryp- 

then starts the key generating portion 106 for generating a 45 tanalysis is stored. If so, the operation goes to a step 206. If 

work key. Next, the control portion 104 reads the plaintext the compressed data is less than the block size, the operation 

data 112 from the memory 111 and iteratively executes the of the step 204 is repeated. 

five processes including the compression 108, the pre- At a step 206, one block of the compressed data is applied 

encryption 109, the post-encryption 110, the correspondence to the pre-encrypting portion 109 for encrypting the block, 

change 107, and the work key change, thereby compressing 50 The pre-encrypting portion 109 uses the work key 116 as a 

and encrypting the plaintext data. The control portion 104 parameter. At a step 207, the result of the pre-encrypting 

will be discussed below. portion 109 is stored. At a step 208, the pre-encrypted result 

In order to implement thc random number generating is applied to the post-encrypting portion 110 for encrypting 
portion 105, it is possible to use the conventional method for it. Herein, like the pre-encrypting portion 109, the post- 
generating a random number as is described in pages 61 to 55 encrypting portion 110 uses the work key 116 as a parameter. 
86 of Japanese literature "Introduction to Cryptography Then, the additional data of the work key to the compressed 
Theory", Kyorilu edition (1993). As an example, this and encrypted data is stored as the compressed and 
method is executed to set a proper initial value to a random encrypted data 117 in the memory 111. 
number 113 in the memory 111, read the previous random At a step 209, the correspondence 115 between the bit 
number 113 each time the random number generating por- so trains of the plaintext data and the compressed data is 
tion 105 is started, apply the cryptanalysis to the previous changed on the pre-encrypted result. At a step 210, the work 
random number 113 inside of the random number generating key 116 is replaced with the pre-encrypted result. Then, at a 
portion 105, and set the encrypted result as a new random step 211, it is determined if the overall plaintext data is 
number. Further, the random number 113 in thc memory 111 processed. If yes, the process is terminated. If no, the 
is replaced with a new random number. 55 operation goes to a step 212. 

The key generating portion 106 is executed 10 generate At the step 212, it is determined if a given number of 

the work key 116 from the random number 113 and the encrypting blocks are processed. If yes, the operation returns 
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to the step 201. If no, the operation returns to the step 204. 
The reason why the operation returns to the step 201 will be 
described below. Computer programs implementing the 
steps of FIG. 2 may be stored in a recording medium such 
as a semiconductor memory, a floppy disk or a CD-ROM. 

In this embodiment, the intermediate result (pre- 
cncrypted result) in the process of encrypting one block is 
made to be a parameter for compressing and encrypting the 
next block. In decompressing and restoring the compressed 
and encrypted data that is an output of this embodiment, it 
is necessary to use the same parameter as that used in 
compressing and encrypting the data. Hence, the interme- 
diate result given in the process of decrypting one block is 
required to be set as a parameter for decrypting and decom- 
pressing the next block. Hence, if one erroneous bit appears 
in the compressed and encrypted data while (he data is 
communicated or stored in a file, the intermediate result in 
the decrypted block containing the erroneous bit is made 
erroneous. As a result, the parameter for decrypting and 
decompressing the next block is made erroneous. This error 
is propagated to the last block of the data. 

The improvement in the error correcting technique of the 
communication and the file storage results in substantially 
protecting an application layer for which the present inven- 
tion is intended, from being erroneous. Hence, the error 
propagation is negligible in any system to which the present 
invention applies. However, the applied systems may be 
provided where no error correction is done. If the present 
invention is applied to such systems, it is necessary to 
restrict the number of the error propagated blocks. 

The foregoing returning operation from the steps 212 to 
201 meets with this requirement. That is, if the number of 
the error propagated blocks reaches a given value, at the 
steps 201 and 202, the operation is executed to reset the 
work key to a value that is independent of the intermediate 
result in the encryption of the previous block, which makes 
it possible to avoid the error propagation. 

Next, with reference to FIGS. 3 and 4, the operation of the 
correspondence changing portion 107 will be described. In 
the Huffman compression, the correspondence 115 between 
the bit trains of the plaintext data and the compressed data 
is represented by the Huffman tree. FIG. 3 shows an example 
of a Huffman tree. This Huffman tree is a binary tree in 
which a right and a left branches are spread at each inter- 
mediate node. The right and the left branches contain a value 
of 0 or 1, respectively. The end node represents one symbol 
of the plaintext data. The connection of the branch values 
from the end node to the root node represents a bit train of 
the compressed data for the symbol represented by the end 
node. For example, the bit train of the compressed data for 
i is 1000 and the bit train of the compressed data for h is 010. 

The correspondence changing portion 107 is started by 
the control portion 104. The correspondence changing por- 
tion 107 is executed to add numbers to the intermediate 
nodes of the Huffman tree. Specifically, (he nodes are 
numbered in such a manner that a first is added to the root 
node, a second and a third are added to a second-stage node 
from left to right, a fourth and a fifth are added to a 
third-stage node from left to right, and so forth. That is, the 
numbering is executed from top to down and from left to 
right. Then, the values given to (he right and the left 
branches of the intermediate node are replaced with each 
other according to the work key. Specifically, if the i-th bit 
of the work key is 1, the values given to the right and the left 
branches of the i-th intermediate node are replaced with each 
other, (if it is zero, no replacement is done.) 
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In FIG. 4, a block 401 indicates a transformation of the 
Huffman tree shown in FIG. 3 on the assumption that the 
work key is 1100100 .... A block 402 indicates a 
transformation of the Huffman tree shown in the block 401 
on the assumption that the work key is 1010110 .... The 
work key is assumed to have a sufficiently large number of 
bits and if any bit of the work key exceeds the intermediate 
node number of the Huffman tree, the bit is ignored in the 
correspondence changing portion 107. 

The foregoing description is concerned with the first 
embodiment of the present invention. The conventional 
encrypting method has been arranged to secure more rounds 
for preventing the linear and the differential cryptanalyses. 
This preventing method, however, has a drawback of 
increasing the processing time. On the other hand, the 
method of the foregoing embodiment has been arranged to 
change the work key for each block. This change makes it 
impossible to perform a statistical operation for estimating 
the key, thereby keeping the ciphertext data from the dif- 
ferential and (he linear cryptanalyses. The work key for each 
block is an intermediate result given in the process of 
encrypting the previous block. This method, hence, does not 
need an extra processing time for changing the work key. As 
described above, the method of this embodiment enables to 
prevent the differential and the linear cryptanalyses without 
any increase of the processing time, thereby improving the 
cipher performance and the strength capability to the cryp- 
tanalysis. 

Further, according to the first embodiment, in the com- 
pressing process, the correspondence between the plaintext 
data and the compressed data may be changed for each block 
depending on the intermediate result given in the process of 
encrypting the previous block. The intermediate result can- 
not be estimated unless the key is obtained. It means that the 
correspondence between the plaintext data and the com- 
pressed data is not estimated. The method of this embodi- 
ment can use the compression as a kind of encryption. The 
compression may present the same effect as the increase of 
the rounds and be used for keeping the ciphertext data from 
the differential and the linear cryptanalyses. 

FIG. 5 shows a functional arrangement of a method 
according to a second embodiment of the present invention. 
This is intended for decrypting and decompressing the 
encrypted data compressed by the method of the first 
embodiment for obtaining the original plaintext data. A 
block 501 denotes a completed information processing sys- 
tem. A block 502 denotes a process implemented by a central 
processing unit and an I/O unit, which process includes an 
I/O portion 503, a control portion 504, a random number 
reading portion 505, a key generating portion 506, a corre- 
spondence changing portion 507, a decompressing portion 
508, a pre-decrypting portion 509, and a post-decrypting 
portion 510. A block 511 denotes a memory realized by a 
RAM, a disk, or the like. The memory. Ill stores com- 
pressed and encrypted data 512, a random number 513, a 
common key 514, a correspondence 515, a work key 516, 
and plaintext data 517. 

The I/O portion 503 is executed to apply the compressed 
and encrypted data from the outside and store it in a memory 
511. At a time, the I/O portion 503 is executed to receive a 
decrypting and decompressing instruction and pass it to the 
control portion 504. On the other hand, the I/O portion 503 
is also executed to read the plaintext data 517 from the 
memory 5U and put it to the outside. When the control 
portion 504 receives the decrypting and decompressing 
instruction from the I/O portion 503, the control portion 504 
is executed to start the random number reading portion 505 
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and read a random number added to the compressed and 
encrypted data 512. Then, the control portion 504 is 
executed to start the key generating portion 506 for gener- 
ating the work key. Next, the control portion 504 is also 
executed to read the compressed and encrypted data 512 
from the memory 511 and repeat five operations comprised 
of the pre-decryption 509, the post-decryption 510, the 
decompression 508, the correspondence change 507, and the 
change of the work key, to decrypt and decompress the 
compressed and encrypted data. The control portion 504 will 
be discussed later in detail. 

The random number reading portion 505 is executed to 
read the random number added to the compressed and 
encrypted data 512. This random number has been used for 
generating the work key in the method of the first embodi- 
ment. 

The key generating portion 506 is executed to generate a 
work key 516 from the random number 513 and the common 
key 514. The common key 514 has the same value as the 
common key 114 used in the first embodiment. Hence, since 
the random number and the common key are the same as 
those used in the first embodiment, the work key 516 to be 
generated by the method of the second embodiment is the 
same as the work key 116 used in the method of the first 
embodiment. 

The correspondence changing portion 507 is executed to 
change a correspondence 515 between the bit trains of the 
compressed data and the plaintext data on the basis of the 
work key. The concrete correspondence depends on the 
concrete decompression 508. The method of this, second 
embodiment uses the Huffman decompression for the 
decompressing portion 508. As described in pages 21 to 103 
of "The Data Compression Book" Toppan (1994), the Huff- 
man decompression is a reverse transform of the Huffmao 
compression. Like the first embodiment, the correspondence 
between the bit trains of the compressed data and the 
plaintext data is represented by a Huffman tree. Hence, the 
correspondence changing portion 507 is executed to change 
the Huffman tree in a similar manner to the correspondence 
changing portion 107 included in the method of the first 
embodiment. Since the correspondence changing portion 
507 uses the same work key and method of changing the 
Huffman tree as those used in the method of the first 
embodiment, the changed Huffman tree is the same as that 
of the first embodiment. 

The decompressing portion 508 is executed to perform the 
Huffman decompression as mentioned above. That is, 
according to the Huffman tree of the correspondence 515, 



20 



25 



30 



35 



45 



decryption is a reverse transform of the pre-encryption 
therein, and the same work key as that of the first embodi- 
ment is used for the decryption. Hence, the method of the 
second embodiment enables to decrypt the compressed and 
encrypted data into the compressed data. 

FIG. 6 shows the detail of the operation of the control 
portion 504. At a step 601, the operation is executed to start 
the random number reading portion 505 for reading the 
random number. At a step 602, the key generating portion 
506 is started for generating the work key. As a result, the 
initial value of the work key 516 is set as the same value as 
the initial value of the work key 116 used in the first 
embodiment. Then, at a step 603, the operation is executed 
to read the compressed and encrypted data 512. 

At a step 604, the pre-decrypting portion 509 is started for 
decrypting one block of the compressed and encrypted text. 
The pre-decrypting portion 509 uses the work key 516 as a 
parameter. At a step 605, the pre -decrypted result is stored. 
The pre-decrypting portion 509 is a reverse transform of the 
post-decrypting portion 110 included in the first embodi- 
ment. Hence, the pre-decrypted result has the same value as 
the value immediately before the post-decryption performed 
in the first embodiment, that is, the pre-decrypted result. At 
a step 606, the post-decrypting portion 510 is started to 
further decrypt the result of the pre-decrypting portion 509. 
The post-decrypting portion 510 is a reverse transform of the 
pre-decrypting portion 110 included in the first embodiment. 
Hence, the post-decrypted result is the same as the value 
immediately before the pre-decryption performed in the first 
embodiment, that is, the compressed text of one block 
obtained by the compressing portion 108. 

At a step 607, the decompressing portion 508 is started to 
decompress one symbol from the head of the compressed 
text of one block. The decompressing portion 508 is a 
reverse transform of the compressing portion 108 included 
in the first embodiment. As mentioned above, the Huffman 
tree for representing the correspondence between the com- 
pressed text and the plaintext is the same as the tree used in 
the first embodiment. At the step 607, the operation is 
executed to obtain the value before the compression, that is, 
the symbol of the plaintext used in the first embodiment. At 
a step 608, it is determined if the remains of the compressed 
data of one block are larger than or equal to one symbol of 
the plaintext. If yes, the operation returns to the step 607 at 
which the decompression is repeated. If no, the operation 
returns to the step 609. At this step, the operation is executed 
to store the remaining data of one block of the compressed 
text and add it to the head of the next block of the 



the bit train of the compressed data is replaced with that of 50 compressed text if the block is obtained, 

the plaintext data to decompress the compressed data. The At the step 609, the correspondence changing portion 507 

decompressing portion 508 is a reverse transform of the is started for changing the correspondence 515, that is, the 

compressing portion 108 and uses the same Huffman tree as Huffman tree depending on the pre-decrypted result. The 

that of (he first embodiment. Hence, the decompressing pre-decrypted result is the same as the result pre-encrypled 

portion 508 enables to transform the data compressed by the S5 by the first embodiment. The correspondence 515 before 

method of the first embodiment back to the original data. change is the same as the correspondence 115 of the first 

The pre-decrypting portion 509 is a reverse transform of embodiment. Hence, the correspondence 515 is the same as 

the post-encrypting portion included in the method of the *at of the first embodiment even after the correspondence 

first embodiment. The pre-decrypting portion 509 is 515 is changed. At a step 610, the work key 516 is replaced 

60 with the pre-decrypted result. The pre-decrypted result has 



executed to decrypt the data with the work key 516 as a 
parameter. The post-decrypting portion 510 is a reverse 
transform of the pre-encrypting portion included in the 
method of the first embodiment. The post-decrypting portion 
510 is executed to decrypt the data with the work key 516 
as a parameter. As mentioned above, in the second 
embodiment, the pre-decryption is a reverse transform of the 
post-encryption included in the first embodiment, the post- 



the same value as the pre-encrypted result used in the 
method of the first embodiment. Hence, the work key 516 
has the same value as that used in the method of the first 
embodiment even after it is changed. 

At a step 611, it is determined if the overall data of the 
compressed and encrypted text is processes. If yes, the 
operation is terminated. If no, the operation goes to a step 
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612. At this step 612, it is determined if a given number of 4. An information processing method comprising the 

blocks have been processed. If yes, the operation returns to steps of: entering or receiving data, compressing said data, 

the step 601 at which the random number is newly read from dividing said data into plural blocks, and sequentially 

the compressed and encrypted text 512. If no, the operation encrypting said blocks, 

returns to the step 604 al which the the next block of the 5 said data encrypting step comprising determining a cor- 

compressed and encrypted data is decrypted. The number of respondence between a bit train of a block of said data 

blocks used for the determination at the step 612 is set as the to be compressed and a bit train of the compressed data 

same value as that used in the method of the first embodi- depending on an intermediate result given in the pre- 

ment. As a result, the period of updating the random number vious encrypting process of one or more compressed 

is the same as that used in the method of the first embodi- 1Q and encrypted blocks. 

ment. 5. An information processing method as claimed in claim 

Computer programs for implementing the steps of FIG. 6 4, wherein the operation at said encrypting step is composed 

may be stored in a recording medium to be loaded in the of n processes, wherein ml, m2, . . . , mk is an integer of 

svstem l^mk^n and the intermediate result in said encrypting 

Tne foregoing description has been concerned with the 15 * aD ml-th processed result an m2-th processed 

j L j- . * j -1 j . i* . result, .... an mk-th processed result, 

second embodiment. As described above, according to the £ I . / .. r ... , , - , . 

, ,. , LJ LL j. 6. An information processing method as claimed in claim 

second embodiment, the method has been arranged to 4 wherem ^ ft ^ ^ Qn * e ^ ^ eter for 

decompress and decrypt the data compressed and encrypted cncry tion or lhc correspondence between the bit train of the 

by the method of the first embodiment for recovering the jnput data and the bit train of the compressed data is changed 

original plaintext data. Many of the currently used encryp- 20 int0 a vahie lhat does not depend on ±t intermediate result 

tions are arranged to repeat the fundamental functions for g j vcn m sa i d cnC rypting process. 

encrypting the plaintext data or repeat the reverse functions 7. An information processing method comprising the 

of those fundamental functions for decrypting the ciphertext steps of: entering or receiving data, dividing said data into 

data. The repetitive times of the reverse functions used in the plural blocks, and compressing and encrypting said blocks 

decryption are equal to the repetitive times of the functions 25 in parallel, 

used in the encryption. The method of the first embodiment sa id encrypting step comprising determining a correspon- 

has been arranged to cope wilh the differential and the linear dence between a bit train of a block of the data to be 

cryptanalyses without having to increase the rounds compressed and a bit train of the compressed data 

(repetitive times of the fundamental functions). Hence, the based on intermediate results given in the previous 

method of the second embodiment does not need to increase 30 encrypting process of one or more other blocks, 

the rounds for the decryption. As described above, the g information processing method as claimed in claim 

methods of the first and the second embodiments enable to 7_ wherein the operation at said encrypting step is composed 

encrypt the data and decrypt it as keeping the high-level 0 f n processes, wherein ml, m2, . . . , mk is an integer of 

encryption without having to increase the processing time. l^mk§n and the intermediate result in said encrypting 

As is obvious from the foregoing description, the method 35 process is an ml-lh processed result, an m2-th processed 

according to the present invention is arranged to prevent the result, . . . , an mk-th processed result, 

differential and the linear cryptanalyses without increasing 9. An information processing method as claimed in claim 

the processing time in the encrypting process and the 7, wherein at a time point on the process, the parameter for 

compressing and encrypting process. This makes it possible encryption or the correspondence between the bit train of the 

to improve the processing performance and the cipher 40 input data and the bit train of the compressed data is changed 

strength to the differential and linear cryptanalyses. The into a value that does not depend on the intermediate result 

information processing system according to the present given in said encrypting processing, 

invention may include a usually used hardware or software 10, An information processing method comprising the 

means for allowing down-loading of the programs imple- steps of: 

menting the steps of FIG. 2 and/or FIG. 6. 45 entering or receiving data; 

What is claimed is: entering or receiving a secret key; 

1. An information processing method comprising the encryplmg at l ea5t one portion of said data by using said 
steps of: entering or receiving data, compressing said data, k 0f a value derived from the key . 

and encrypting said compressed data, providing as a parameter for encrypting another portion of 

said data encrypting step comprising determining a cor- 50 ^ ^ an intermediate result from the process 0 f 

respondence between a bit train of a portion of said data encrypting a portion other than said another portion of 

to be compressed and a bit tram of a portion of the ^ data Qr fl vaJue derived fnjm ^ intermediate 

compressed data depending on an intermediate result result* and 

STdato^ Pr0CeSS ° f eDCryPting an ° lber POrti ° D ° f 55 encrypting said another portion using said parameter, 

2. Z information processing method as claimed in claim wbercin * a time P oint ?? ; he "j? P aram f r fo ' 
1, wherein the operation at said encrypting step is composed encryption ,s changed into a value that does not depend 
of n processes, wherein ml, m2, . . . , mk is an integer of on thc intermediate result given in said encryptmg 
l^rak^n and the intermediate result in said encrypting „* >r ? Ce ^ S V . L , ■ ■ 
process is an ml-th processed result, an m2-th processed 60 U ' f '^formation processing method comprising the 
result, . . . , an mk-th processed result. ^P 5 ; . , 

3. An information processing method as claimed in claim entering or receiving data; 

1, wherein al a time point on the process, the parameter for dividing said data into plural blocks; 

encryption or the correspondence between the bit train of the entering or receiving a secret key; 

input data and the bit train of the compressed data is changed 65 encrypting the first block by using said secret key and 

into a value that does not depend on the intermediate result sequentially encrypting other blocks through said 

given in said encrypting process. encrypting step; 
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providing as a parameter for encrypting one of said blocks 
an intermediate resultfs) given in one of said blocks, an 
intermediate result(s) given in the process of encrypting 
one or more blocks previous to said block or a values(s) 
derived on the intermediate results); and 

encrypting each of said blocks using said parameter to 
encrypt said data, 

wherein at a time point on the process, the parameter for 
encryption is changed into a value that does not depend 
on the intermediate result given in said encrypting 
process. 

12. An information processing method comprising the 
steps of: 

entering or receiving data; 
dividing said data into plural blocks; 
entering or receiving a secret key; and 
encrypting said blocks in parallel wherein at least one of 

said blocks is encrypted by using said secret key, 
wherein said encrypting step comprises the steps of: 
using as a parameter for encrypting one of said at least 
one of said blocks an intermediate result given 
during encrypting one or more blocks other than said 
at least one of said blocks or a value derived from the 
intermediate result, 
wherein at a time point on the process, the parameter for 
encryption is changed into a value that docs not depend 
on the intermediate result given in said encrypting 
process. 

13. An information processing method comprising the 
steps of: 

entering or receiving data; 

entering or receiving a secret key; 

encrypting at least one portion of said data by using said 
key or a value derived from the key; 

providing as a parameter for encrypting another portion of 
said data, an intermediate result from the process of 
encrypting a portion other than said another portion of 
said data or a value derived from the intermediate 
result; and 

encrypting said another portion using said parameter, 
wherein the operation at said encrypting step is composed 
of n processes, wherein ml, m2, . . . , mk is an integer 
where l^mk^n and the intermediate result in said 45 
encryption is an ml-th processed result, 
wherein at a time point on the process, the parameter for 
encryption or the correspondence between the bit train 
of the input data and the bit train of the input data and 
the bit train of the compressed data is changed into a 
value that does not depend on the intermediate result 
given in said encrypting process. 

14. An information processing method comprising the 
steps of: 

entering or receiving data; and 
encrypting said data, 

wherein said data encrypting step comprises: 
generating a random number, and 
setting said random number or a value derived on said 

random number as a parameter for encrypting said 

data, 

wherein said random number is generated by repetitively 
performing an encrypting process about an initial 
value. 

15. An information processing method as claimed in 
claim 14, wherein plural random numbers are obtained by 
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repetitively performing the operation of the step for gener- 
ating the random number and said random numbers are set 
as parameters for encrypting various portions of said data. 

16. An information processing method as claimed in 
claim 14, wherein the parameter for encrypting said data or 
the information required for deriving the parameter is added 
to the encrypted data. 

17. An information processing method as claimed in 
claim 14, wherein the parameter for encrypting said data or 
the information required for deriving the parameter is used 
for decrypting said encrypted data. 

18. An information processing method comprising the 
steps of: 

entering or receiving data; and 
encrypting said data, 

wherein said data encrypting step comprises: 
generating a random number, and 
setting said random number or a value derived on said 

random number as a parameter for encrypting said 

data, 

wherein plural random numbers are generated by repeti- 
tively performing the operation of the step for gener- 
ating said random number and said random numbers 
are set as parameter for encrypting various portions of 
said data. 

19. An information processing method as claimed in 
claim 18, wherein the parameter for encrypting said data or 
the information required for deriving the parameter is added 
to the encrypted data. 

20. An information processing method as claimed in 
claim 18, wherein the parameter for encrypting said data or 
the information required for deriving the parameter is used 
for decrypting said encrypted data. 

21. An information processing method comprising the 
steps of: 

entering or receiving data; and 
encrypting said data, 

wherein said data encrypting step comprises: 
generating a random number, and 
setting said random number or a value derived on said 

random number as a parameter for encrypting said 

data, 

wherein the parameter for encrypting said data or the 
information required for deriving the parameter is 
added to the encrypted data. 

22. An information processing method as claimed in 
claim 21, wherein the parameter for encrypting said data or 
the information required for deriving the parameter is used 
for decrypting said encrypted data. 

23. An information processing apparatus comprising: 
means for catering or receiving data; 

first means for encrypting said data; 
second means for encrypting said data; and 
means for entering an intermediate result on the encrypt- 
ing process given by said first encrypting means into 
the second encrypting means as a parameter. 

24. An information processing apparatus as claimed in 
claim 23, further comprising means for changing a value 
stored in means for storing said intermediate result on the 
encrypting process into a value that does nol depend on said 
intermediate result. 

25. An information processing apparatus as claimed in 
claim 23 further comprising means for calculating or storing 
a value that does not depend on the intermediate result on the 
encrypting process and means for entering said value as a 
parameter into said encrypting means. 
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26. An information processing apparatus comprising: 
means for entering data; 

means for compressing said data, and means for encrypt- 
ing said data; 

means for storing an intermediate result on the encrypting 
process given by said encrypting means; and 

means for entering said stored intermediate result or a 
value that depends on said intermediate result to said 
compressing means as a parameter. 

27. An information processing apparatus as claimed in 
claim 26, further comprising means for changing a value 
stored in means for storing said intermediate result on the 
encrypting process into a value that does not depend on said 
intermediate result. 

28. An information processing apparatus as claimed irj 
claim 26, further comprising means for calculating or stor- 
ing a value that does not depend on intermediate result on 
the encrypting process and means for entering said value as 
a parameter into said encrypting means. 

29. An information encrypting apparatus comprising: 
means for entering or receiving data; 

first encrypting means for encrypting said data; 
second encrypting means for encrypting a value to be 
stored; 

means for entering an output value of said second 
encrypting means or a value that does not depend on the 
output value as a parameter; and 



10 



25 



train of a block of the input data to be compressed and a bit 
train of the compressed data on the intermediate result of one 
or more compressed and encrypted blocks before said block 
being compressed. 

34. An information encrypting method comprising the 
steps of entering or receiving data, dividing said data into 
plural blocks, compressing and encrypting said blocks in 
parallel, and establishing correspondence between a bit train 
of one block of the input data to be compressed and a bit 
train of said compressed data on the basis of the intermediate 
results of one or more encrypted blocks other than said block 
being compressed. 

35. A method of information processing comprising the 
steps of: 

receiving data, the data including a plurality of blocks; 
generating a work key for a first block of data; and 
encrypting each block of data, the step of encrypting 
including the steps of: 

performing a first encryption step on the block using 
the work key as a parameter to generate an interme- 
diate encryption result; 

performing a second encryption step on the intermedi- 
ate encryption result for the block using the work key 
as a parameter; and 

replacing the work key with the intermediate encryp- 
tion result to be used as a parameter for encrypting 
the next data block. 



_ . , , 36. A method of information processing comprising the 

means for storing an output value of said second encrypt- 30 s g 

ing means, 



30. An information processing apparatus comprising: 
means for entering or receiving data; 

means for encrypting said data; 

means for storing an intermediate result on the encrypting 
process given by said encrypting means; 

means for entering said stored intermediate result or a 
value that depends on said intermediate result as a 
parameter to said encrypting means; and 

means for changing a value stored in said means for 
storing the intermediate result on the encrypting pro- 
cess into a value that does not depend on the interme- 
diate result on the encrypting process. 

31. An information apparatus as claimed in claim 29, 
further comprising means for decrypting data with said 
parameter or the information required for calculating said 
parameter. 

32. An information encrypting method comprising the 
steps of: 

entering or receiving data, compressing said data, and 
encrypting said compressed data; 

said data encrypting step comprising determining corre- 
spondence between a bit train of a portion of the input 
data to be compressed and a bit train of the compressed 
data on the intermediate result given in the process of 
encrypting another portion of said data. 

33. An information encrypting method comprising the 
steps of: entering or receiving data, compressing said data, 
dividing said data into blocks, and sequentially encrypting 
said blocks, and determining correspondence between a bit 
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receiving data, the data including a plurality of blocks; 
generating a work key for a first block of data; 
encrypting a first group of data blocks, each data block 
being encrypted according to the following steps: 
performing a first encryption step on the block using 
the work key as a parameter to generate an interme- 
diate encryption result; 
performing a second encryption step on the intermedi- 
ate encryption result for the block using the work key 
as a parameter; and 
replacing the work key with the intermediate encryp- 
tion result to be used as a parameter for encrypting 
the next data block; 
generating a new work key that is independent of the 
intermediate results of the first group of data blocks 
after all blocks in the first group have been encrypted; 
and 

encrypting a second group of data blocks, each data block 
being encrypted according to the following steps: 
performing a first encryption step on the block using 
the new work key as a parameter to generate an 
intermediate encryption result; 
performing a second encryption step on (he intermedi- 
ate encryption result for the block using the new 
work key as a parameter; and 
replacing the new work key with the intermediate 
encryption result to be used as a parameter for 
encrypting the next data block. 
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